Alerting

Folder Monitoring and Alert

hxa27
Path Finder

Hi,

I am trying to monitor a folder and send an alert notification. The idea of this task is to monitor the folder and check that the files in the folder are getting processed; then the files are moved to another application. The task is to send an alert for the files which take longer than the period of time which I set up. Any suggestion will be helpful.

Thanks

0 Karma

lguinn2
Legend

I would probably write a scripted input that collected the names of the files in the folder (perhaps with additional information) on a regular schedule - maybe once a minute. Assume that I have a field named filename and that I have placed the data in a sourcetype named appMonitor. Finally, I want to report files that have been in the directory for more than 5 minutes (600 seconds).

sourcetype=appMonitor
| stats range(_time) as timeInQueue by filename
| where timeInQueue > 600

Save this search and set it to run every 10 minutes over the prior 10 minutes. Set it to alert when the number of results is > 0.

Obviously you can adjust time ranges, etc. from this example.

0 Karma

lguinn2
Legend

Okay, my solution requires that the scripted input collects the file name. So you need to write a script that Splunk runs. In your Add Data, you will specify that script. You will not specify either the folder name or the file names.

Of course, your script will have to read the names of the files in the folder. If your script can't get the file names, this solution will not work.

0 Karma
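One way to write the scripted input described in the two answers above, as an added example that is not code from the thread: it prints one timestamped event per file currently in the folder, so file names never have to be configured in advance. The folder path and the extra `size` and `age_seconds` fields are assumptions; only `filename` comes from the answer. File names are quoted and stripped of control characters so a crafted name cannot forge extra fields or events.

```python
#!/usr/bin/env python3
"""Scripted input: emit one key=value event per file waiting in a folder."""
import os
import sys
import time

WATCH_DIR = "/data/incoming"  # assumption: placeholder path, not from the thread


def quote(value):
    """Quote a value so a hostile file name cannot forge fields or events."""
    cleaned = "".join(c if c.isprintable() else "?" for c in value)
    return '"' + cleaned.replace("\\", "\\\\").replace('"', '\\"') + '"'


def snapshot(folder, now=None):
    """Return one event line for every regular file currently in folder."""
    now = time.time() if now is None else now
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime(now))
    events = []
    with os.scandir(folder) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            try:
                # Skip directories and symlinks; only real queued files count.
                if not entry.is_file(follow_symlinks=False):
                    continue
                info = entry.stat(follow_symlinks=False)
            except OSError:
                continue  # file was processed and moved during the scan
            age = max(0, int(now - info.st_mtime))
            events.append(
                f"{stamp} filename={quote(entry.name)} "
                f"size={info.st_size} age_seconds={age}"
            )
    return events


def main():
    folder = sys.argv[1] if len(sys.argv) > 1 else WATCH_DIR
    for line in snapshot(folder):
        print(line)


if __name__ == "__main__":
    main()
```

Run on a one-minute interval, each file produces an event per run while it remains in the folder, which is what the `range(_time)` search in the answer measures.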

hxa27
Path Finder

I am trying to have a kind of different configuration in order to monitor the folder, but I don't have permission to do so. Is there another way to do it? When I try to Add Data, I cannot choose the folder; I have to choose the file, which I do not want to do.

Any suggestion will be helpful.

0 Karma

hxa27
Path Finder

Thanks for the response.
I cannot collect the file names because they are changing all the time. So, I am just trying to monitor the folder without specifying any filenames.

0 Karma